Challenge Failure


#1

Doing a manual cert request:
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d XXX.com --rsa-key-size 4096 -a manual certonly

Getting instruction to create challenge file http://XXX.com/.well-known/acme-challenge/UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s with content UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s.c-j1MpCJoyn5EjDnf8auyEYOphrhsG34IV7Ckb_nQUM which I created:

root@XXX:/var/www/vhosts/XXX.com/httpdocs/.well-known/acme-challenge# ls -la
-rw-r--r-- 1 root root 88 Nov 15 13:13 UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s

When continuing, I get: Self-verify of challenge failed, authorization abandoned.

In the Apache logs, I can see that the request actually happened and was successful (200):
XXX - - [15/Nov/2015:13:15:29 +0100] "GET /.well-known/acme-challenge/UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s HTTP/1.1" 200 453 "-" "python-requests/2.8.1"

If I do a curl to the same URL, I get "correct" answers, I think:
root@XXX:~# curl -v http://XXX.com/.well-known/acme-challenge/UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s

* Hostname was NOT found in DNS cache
*   Trying XXX...
* Connected to XXX.com (XXX) port 80 (#0)
> GET /.well-known/acme-challenge/UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s HTTP/1.1
> User-Agent: curl/7.35.0
> Host: XXX.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 15 Nov 2015 12:17:38 GMT
* Server Apache is not blacklisted
< Server: Apache
< Last-Modified: Sun, 15 Nov 2015 12:13:16 GMT
< ETag: "58-5249337a70b19"
< Accept-Ranges: bytes
< Content-Length: 88
< Vary: Accept-Encoding
< X-Powered-By: PleskLin
< Content-Type: text/plain
<
UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s.c-j1MpCJoyn5EjDnf8auyEYOphrhsG34IV7Ckb_nQUM
* Connection #0 to host XXX.com left intact

What am I missing?


#2

Try calling letsencrypt with verbose flag (-v), that might show a better error message.

Some text editors automatically add a trailing line break when saving a file, or automatically do some kind of line wrapping. Make sure that’s not what happened.


#3

Thank you! I’m using vim. When I ran letsencrypt with -v I got:

2015-11-15 20:23:21,049:DEBUG:acme.challenges:Key authorization from response (u'AYjojVeyOpcIKqhzfzT3q9sR9Pw0EJVsnaKR-KqgrsU.c-j1MpCJoyn5EjDnf8auyEYOphrhsG34IV7Ckb_nQUM') doesn't match HTTP response (u'AYjojVeyOpcIKqhzfzT3q9sR9Pw0EJVsnaKR-KqgrsU.c-j1MpCJoyn5EjDnf8auyEYOphrhsG34IV7Ckb_nQUM\n')

so there seems to be a \n added by vim to the end of the file. When I use printf "%s" KEY > FILE it works...

Conclusion: using vim is a bad idea…
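An added self-check script (example code, not from this thread and not part of the letsencrypt client) that fetches the challenge URL the way the client's self-verify does and reports whether the body differs only by a trailing newline, which is exactly the case diagnosed above. The token and thumbprint are the values quoted in the first post, reused here as constructed sample input; the domain and User-Agent in `self_verify` are assumptions.

```python
import re
import urllib.request

# Constructed sample values for the offline demo. In practice the key
# authorization is the string the client tells you to put in the file.
TOKEN = "UYq1Tqk7FoPu_xdbp0URnThc-i4T0S4O3HfDXB6ql-s"
KEY_AUTHZ = TOKEN + ".c-j1MpCJoyn5EjDnf8auyEYOphrhsG34IV7Ckb_nQUM"
# Shape of a key authorization: base64url token "." base64url thumbprint.
BASE64URL = re.compile(rb"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def classify_response(expected: str, body: bytes) -> str:
    """Explain how a response body compares to the key authorization.

    The client compares byte for byte, so anything other than "ok" fails:
      "ok"               - body is exactly the key authorization
      "trailing-newline" - only CR/LF at the end differs (the vim case)
      "whitespace"       - other padding or line wrapping from an editor
      "not-keyauthz"     - not even shaped like token.thumbprint, e.g. an
                           HTML error page that the server returned as 200
      "mismatch"         - well-formed but a different token/thumbprint
    """
    want = expected.encode("ascii")
    if body == want:
        return "ok"
    if body.rstrip(b"\r\n") == want:
        return "trailing-newline"
    if b"".join(body.split()) == want:
        return "whitespace"
    if not BASE64URL.match(body.strip()):
        return "not-keyauthz"
    return "mismatch"


def self_verify(domain: str, key_authz: str, timeout: float = 10.0) -> str:
    """Fetch http://<domain>/.well-known/acme-challenge/<token> and classify it."""
    token = key_authz.split(".", 1)[0]
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(key_authz, resp.read())


if __name__ == "__main__":
    # An 88-byte file for an 87-byte key authorization is the symptom seen
    # in the ls and Content-Length output above: one extra newline.
    for body in (KEY_AUTHZ.encode(), KEY_AUTHZ.encode() + b"\n"):
        print(len(body), classify_response(KEY_AUTHZ, body))
```

A clean result from `self_verify` only shows the content is right from where you run it; the ACME server fetches from outside, so firewall rules and DNS still have to allow that.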